snort signature for new CodeRed variant

From: J Moll (jmoll-lists@my-mbox.com)
Date: Sat Aug 04 2001 - 23:21:11 PDT


    All:
    
    I'm using this Snort signature to distinguish between the original and recent 
    variant of CodeRed.  I'm sure it can be optimized -- grabbed a bit of the 
    binary around the text "CodeRedII" in the packet to cut down on false 
    alarms. Putting it out so folks can log the differences.
    
    
    alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)
    
    
    Best Regards,
    Joe Moll
    
    -- 
    Joseph L. Moll, CISSP -- jmollat_private
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 23:41:23 PDT